I am building a method for users of my website to link their accounts together, so that resources can be shared between them. My process so far is:
I'm wondering how secure I need to be with this final step. My confirmation link is in the format: domain.com/link-confirm.php?fromid=xxx&toid=yyy
In theory, it would be possible for anyone to spoof this link, if they knew the user id of their target, thus setting up a connection without permission.
I tried hashing both user ids, then scanning through the user database for matches, but the password_verify function takes so long to run that the page times out (and that's with only 1000 users).
What I would like to know is: Does my plan above make sense? Is there a neater way of doing it? Am I right to be concerned about the spoofing (connecting the accounts does not in itself share any data between users, it merely makes it possible for either user to initiate)?
Thanks
You can just encrypt both id values and, after obtaining them from GET, decrypt them; hashes don't need to be used here. That way it will take thousands of years for somebody to brute-force spoof them.
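An added example, not part of the original question or answer: one way to carry both ids in an encrypted link parameter, using libsodium's authenticated `secretbox` so that an altered or invented token is rejected rather than decrypted to garbage. The function names, the single `token` parameter, the 24-hour expiry and the sample ids are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: in production this 32-byte key is loaded from server-side config
// and never leaves the server. It is generated here so the example runs alone.
$key = sodium_crypto_secretbox_keygen();

/** Build the opaque token that replaces ?fromid=..&toid=.. in the confirmation link. */
function make_link_token(int $fromId, int $toId, string $key, int $ttl = 86400): string
{
    $payload = json_encode(
        ['from' => $fromId, 'to' => $toId, 'exp' => time() + $ttl],
        JSON_THROW_ON_ERROR
    );
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox encrypts and authenticates: any change to the token fails to open.
    $box = sodium_crypto_secretbox($payload, $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

/** Return ['from' => int, 'to' => int] for a valid, unexpired token, otherwise null. */
function read_link_token(string $token, string $key): ?array
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null; // not base64url at all
    }
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($raw) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null; // too short to hold a nonce and an authentication tag
    }
    $plain = sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $key);
    if ($plain === false) {
        return null; // forged or modified token
    }
    $data = json_decode($plain, true);
    if (!is_array($data) || !isset($data['from'], $data['to'], $data['exp'])
        || $data['exp'] < time()) {
        return null; // malformed payload or expired link
    }
    return ['from' => (int) $data['from'], 'to' => (int) $data['to']];
}

// Constructed sample ids; the link would be domain.com/link-confirm.php?token=<value>
$token = make_link_token(17, 42, $key);
var_dump(read_link_token($token, $key));

// Changing one character of the token makes it unusable.
$tampered = $token;
$tampered[0] = $tampered[0] === 'A' ? 'B' : 'A';
var_dump(read_link_token($tampered, $key));
```

On the confirmation page, also checking that the decoded `to` id matches the currently logged-in user keeps a leaked or forwarded link from being confirmed by someone else.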